Simple & easy way to jail users
Solution 1
Jailkit is a set of utilities that can limit user accounts to a specific directory tree and to specific commands. Setting up a jail is much easier using the Jailkit utilities than doing so 'by hand'. A jail is a directory tree that you create within your file system; the user cannot see any directories or files that are outside the jail directory. The user is jailed in that directory and its subdirectories.
Download & Install:
http://olivier.sessink.nl/jailkit/index.html#download
VERSION=2.20 # from November 2018
cd /tmp
wget https://olivier.sessink.nl/jailkit/jailkit-$VERSION.tar.gz
tar -zxvf jailkit-$VERSION.tar.gz
cd jailkit-$VERSION/
./configure
make
su -
make install
Setting up the jail
Now it’s time to set up the jail directory. Jailed users will see this directory as the root directory of the server. I chose to use /home/jail:
mkdir /home/jail
chown root:root /home/jail
jk_init -v /home/jail basicshell
jk_init -v /home/jail netutils
jk_init -v /home/jail ssh
jk_init -v /home/jail jk_lsh
Add a user
Add a new user with a home directory and bash shell, and set the password:
useradd -d /home/jailtest -m jailtest -s /bin/bash
passwd jailtest
Now it's time to jail this user; use the following command:
jk_jailuser -m -j /home/jail jailtest
Your /etc/passwd should contain something like this now:
jailtest:x:1001:1001::/home/jail/./home/jailtest:/usr/sbin/jk_chrootsh
Enable bash
By using jk_cp the bash libraries are copied to the jail:
jk_cp -v -f /home/jail /bin/bash
Edit /home/jail/etc/passwd and replace this line:
jailtest:x:1001:1001::test:/usr/sbin/jk_lsh
with this:
jailtest:x:1001:1001::/home/jailtest:/bin/bash
Maintenance
By using jk_update, updates on the real system can be applied in the jail. A dry run will show what's going on:
jk_update -j /home/jail -d
Without the -d argument the real update is performed. More maintenance operations can be found here.
(In case /home/jail/opt is missing, create it with mkdir -p /home/jail/opt/ and run jk_update -j /home/jail again.)
Give access to other directories
You can mount special folders that the jailed user may then access, e.g.:
mount --bind /media/$USER/Data/ /home/jail/home/jailtest/test/
Help Taken
http://olivier.sessink.nl/jailkit/howtos_chroot_shell.html
http://olivier.sessink.nl/jailkit/index.html#intro (a very good help)
This has been checked and verified; it is working properly.
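As an added example (my own, not part of this answer or of Jailkit), a POSIX shell check that verifies the result of the steps above for one user. It assumes the layout the answer produces (jail root given without a trailing slash, a copy of /etc/passwd inside the jail) and reads the host passwd file from an optional third argument so it can also be run against copies.

```shell
#!/bin/sh
# Added example (not from the answer above): sanity-check a jailkit jail for one
# user before trying to log in. It flags the failures reported in the comments
# (in-jail shell still jk_lsh, shell binary not copied in with jk_cp) and an
# unsafe jail root. Assumes the answer's layout; JAIL has no trailing slash.

# check_jail_login JAIL USER [HOST_PASSWD] -> 0 when login routing looks right
check_jail_login() {
  jail=$1; user=$2; host_passwd=${3:-/etc/passwd}; rc=0
  host_entry=$(grep "^$user:" "$host_passwd") || { echo "no host passwd entry for $user"; return 1; }
  # the home field must carry the "/./" marker that tells jk_chrootsh where the jail ends
  case $host_entry in
    *":$jail/./"*) ;;
    *) echo "host home directory lacks the $jail/./ marker"; rc=1 ;;
  esac
  case ${host_entry##*:} in
    */jk_chrootsh) ;;
    *) echo "host login shell is not jk_chrootsh"; rc=1 ;;
  esac
  jail_entry=$(grep "^$user:" "$jail/etc/passwd") || { echo "no entry in $jail/etc/passwd"; return 1; }
  jail_shell=${jail_entry##*:}
  # jk_jailuser writes jk_lsh here; left unchanged, interactive ssh logins are
  # closed right after the banner (the symptom described in the comments)
  case $jail_shell in
    */jk_lsh) echo "shell in $jail/etc/passwd is still jk_lsh"; rc=1 ;;
  esac
  # the shell named inside the jail must exist inside the jail (the jk_cp step)
  [ -x "$jail$jail_shell" ] || { echo "$jail_shell is missing inside $jail"; rc=1; }
  return $rc
}

# check_jail_root JAIL -> 0 when the jail root is root-owned and not group/world
# writable (jk_chrootsh refuses to enter a jail that fails this, so catch it first)
check_jail_root() {
  jail=$1; rc=0
  owner=$(ls -ld "$jail" | awk '{print $3}')
  [ "$owner" = root ] || { echo "$jail is owned by $owner, not root"; rc=1; }
  perms=$(ls -ld "$jail" | cut -c1-10)   # e.g. drwxr-xr-x
  case $perms in
    ?????w????|????????w?) echo "$jail is group- or world-writable ($perms)"; rc=1 ;;
  esac
  return $rc
}
```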
Solution 2
You cannot confine them to /home, as they need access to the system binaries, bash, and configuration files in /etc.
IMO the easiest method of securing users is to use apparmor.
You make a hard link:
ln /bin/bash /usr/local/bin/jailbash
You add jailbash to /etc/shells.
You then assign jailbash to the users shell, and then write an apparmor profile for jailbash allowing minimal access.
sudo chsh -s /usr/local/bin/jailbash user_to_confine
You will have to write an apparmor profile yourself, but I have a profile you could potentially start with:
http://bodhizazen.com/aa-profiles/bodhizazen/ubuntu-10.04/usr.local.bin.jailbash
Solution 3
It's difficult to guess what purpose you might want to accomplish. If it is to deny ssh/sftp while providing jailed access via FTP... easy:
Add to /etc/shells a new shell:
sudo -e /etc/shells
Add one line:
/bin/false
Save. For each user you want to deny ssh/sftp, change the user's shell:
sudo chsh -s /bin/false userx
Now userx cannot log in via ssh/sftp.
Install vsftpd:
sudo apt-get install vsftpd
Edit the config file:
sudo -e /etc/vsftpd.conf
And make these changes:
anonymous_enable=NO
local_enable=YES
chroot_local_user=YES
Save. Restart vsftpd:
sudo /etc/init.d/vsftpd restart
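An added example, not from the answer above: a POSIX shell audit of the result of these steps. It assumes vsftpd's documented defaults for the three keys (anonymous_enable=YES, local_enable=NO, chroot_local_user=NO) when a key is absent, so a missing line is not treated as a NO, and it takes file paths as arguments so it can be run against copies.

```shell
#!/bin/sh
# Added example (not from the answer above): audit the two halves of that setup,
# the ssh/sftp denial via /bin/false and the vsftpd chroot settings.
# Assumption: vsftpd's documented defaults apply for keys missing from the file
# (anonymous_enable=YES, local_enable=NO, chroot_local_user=NO).

# vsftpd_value CONF KEY -> prints the effective value; last uncommented setting wins
vsftpd_value() {
  val=$(grep -E "^[[:space:]]*$2=" "$1" | tail -n 1 | cut -d= -f2- | tr -d ' \t')
  if [ -z "$val" ]; then
    case $2 in
      anonymous_enable) val=YES ;;   # default is YES, so an absent key is NOT safe
      *) val=NO ;;
    esac
  fi
  echo "$val"
}

# check_vsftpd CONF -> 0 when anonymous FTP is off and local users are chrooted
check_vsftpd() {
  conf=$1; rc=0
  [ "$(vsftpd_value "$conf" anonymous_enable)" = NO ] || { echo "anonymous_enable must be NO"; rc=1; }
  [ "$(vsftpd_value "$conf" local_enable)" = YES ] || { echo "local_enable must be YES"; rc=1; }
  [ "$(vsftpd_value "$conf" chroot_local_user)" = YES ] || { echo "chroot_local_user must be YES"; rc=1; }
  return $rc
}

# check_no_ssh USER [PASSWD] [SHELLS] -> 0 when USER's login shell is /bin/false
# and /bin/false is listed in the shells file (chsh rejects it otherwise)
check_no_ssh() {
  user=$1; passwd=${2:-/etc/passwd}; shells=${3:-/etc/shells}; rc=0
  entry=$(grep "^$user:" "$passwd") || { echo "no passwd entry for $user"; return 1; }
  [ "${entry##*:}" = /bin/false ] || { echo "$user shell is ${entry##*:}; ssh/sftp still possible"; rc=1; }
  grep -qx /bin/false "$shells" || { echo "/bin/false is not listed in $shells"; rc=1; }
  return $rc
}
```

vsftpd 3.x refuses a chrooted login whose home directory is writable unless allow_writeable_chroot=YES is set; this checker does not cover that case.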
Updated on September 18, 2022
Comments
- One Zero almost 2 years: I need a simple and easy way to jail users in their home directories in Oneiric. Do you have a simple configuration for jailing users, with full help, or some good web links?
  I would be offering an online free public server with 10 to 20 GB free space. I don't know how many users. I want to give them SSH and SFTP so that they can connect through FileZilla.
- One Zero over 12 years: 2nd update if users are not locked in home directories
- Ali over 12 years: then I believe you 1- as mentioned by @Marco you want to try ChrootDirectory for SSH 2- you may want to go beyond the standard ways of doing things as you need to scale this to handle "a lot" of storage, ... 3- Is SSH your best choice? Do people need SSH on your service? 4- Good luck
- One Zero over 12 years: I have other plans as well .... for normal users we would be offering only SFTP with MY SECURE SHELL, that's very easy to handle
- Admin about 10 years: How can I remove this jail, e.g. /home/jail? And when I add some jail section, e.g. jk_init -v -f /home/jail netutils, how will I remove this?
- Panther over 12 years: Just be very careful with rbash, it is very easy to break out of and sort of considered outdated. See blog.bodhizazen.net/linux/how-to-restrict-access-with-rbash
- Karlson over 12 years: @bodhi.zazen You mean rbash?
- Panther over 12 years: yes, sorry, I fixed that. There was a blog several years ago where someone broke out of a rbash jail I set up, and I thought it was a tight, minimal jail. Took them less than 5 minutes. Not had anyone break out of jailbash.
- Dom over 12 years: "You can not confine them to /home as they need access to the system binaries and bash and configuration files in /etc" There is nothing stopping you from linking/copying files you feel they need.
- Panther over 12 years: Yes you "can" do as user606723 suggests, but it is not so easy, and IMO of all the potential solutions the least practical or easy. Might as well build a chroot or use lxc. You copy a binary, then the libs. Often you will manually need to identify libs with ldd. This method takes a ton of work to set up. And then you have to keep the jail up to date; you will have to manually update (copy) the binaries/libs. Links might work better in terms of updates, but you still need to set them all up. Somehow I do not think this is what the OP had in mind. How then to keep them confined?
- Dom over 12 years: I think the whole point of the question was to point out tools to automate this process... like jailkit, a tool the OP mentions.
- One Zero over 12 years: well, I want to give them ssh + sftp (connect through FileZilla)
- One Zero over 12 years: can you please tell me how I configure it .... jailbash
- One Zero over 12 years: @bodhi.zazen what do you think about this: debootstrap (oneiric), then make a container using lxc, using jailkit > user to container. What I did so far is I have debootstrapped oneiric minimum, then used jailkit > working fine
- Panther over 12 years: you can use LXC for this task; beware that isolation is sometimes incomplete with LXC. As long as users do not have root access in the container you should be OK, and you may want to subscribe to the LXC mailing list.
- One Zero over 12 years: @bodhi.zazen the thing I was thinking is that ... how do users go straight to lxc containers ... is it the same config I am using with debootstrap?
- Panther over 12 years: lxc is somewhat similar to a chroot (debootstrap), but it is a bit more complex. Some people use scripts to set up lxc.
- One Zero over 12 years: I did it with jailkit, debootstrap .... I did it with lxc containers ... I have tested all things .... I just need a way to lock users in their home directories
- Dmitry Koroliov about 11 years: Thank you so much. I have tried all three top-voted answers and yours is the easiest. Actually it is the only one which worked for me.
- Panther about 11 years: @caligula - you are most welcome
- hookenz over 10 years: This doesn't work on Ubuntu 13.10. When you try to finally log in you get the welcome message immediately followed by connection closed.
- c4f4t0r over 10 years: yes, man bash helps; using bash restricted shell capabilities is simpler
- ONOZ about 10 years: Matt H: Make sure to follow the last two steps: copying the bash binaries and editing the /home/jail/etc/passwd file.
- Attila Fulop over 9 years: I also had the connection closed issue immediately after the welcome message. I changed the login shell within the chroot passwd file from jk_lsh to bash as read here linuxquestions.org/questions/linux-software-2/… It is not a solution but a workaround!
- PJunior almost 9 years: Thanks for your answer. Unfortunately I wasn't able to configure it correctly so the user could connect via sftp. :(
  Sep 23 05:39:31 nsXXXXXX jk_chrootsh[2701]: now entering jail /home/jail for user usersftp (1001) with arguments -c /usr/lib/openssh/sftp-server
  Sep 23 05:39:31 nsXXXXXX sshd[2700]: Received disconnect from 84.91.XXX.XXX: 11: disconnected by user
- alper about 6 years: It seems that the solution does not work anymore on the latest Ubuntu version: I have done sudo su - testuser but nothing happens. What should I do? And sudo -su testuser opens under the jail user directory but I can still see others' directories. @MariusMatutiae
- rubo77 over 5 years: I edited the answer: enhanced formatting, updated Version to 2.20 and created a variable for it; added su - at the right position and renamed testuser to jailtest, to avoid attacks and collisions with other test users – this works fine on my Ubuntu 18.10
- rubo77 over 5 years: But it doesn't seem to work on Debian (tested on wheezy and stretch). Here is the -vvv ssh log: pastebin.com/Mwbsz4Wq